- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: php-security/html-xss
Language: PHP
Severity: Error
Category: Security
CWE: 79
Cross-Site Scripting (XSS) attacks are a common type of security vulnerability in web applications. XSS attacks occur when an attacker can inject malicious scripts into web pages viewed by other users. These scripts can steal sensitive information, such as login credentials or personal data.
In PHP, this rule can be violated when user input is directly embedded into HTML without proper sanitization. This creates an opportunity for attackers to inject harmful scripts. For instance, if a user enters <script>alert('XSS')</script>
as input, and this input is directly embedded into HTML, every user visiting the page will see an alert popup saying ‘XSS’.
Always sanitize user input before embedding it into HTML. This can be achieved by using the built-in PHP function htmlspecialchars()
. This function converts special characters to their HTML entities, thereby preventing any embedded scripts from executing. For example, instead of writing echo '<h1>' . $input . '</h1>';
, you should write echo '<h1>' . htmlspecialchars($input) . '</h1>';
. This ensures that any user input is treated as plain text and not executable code.
<?php
$input = $_GET["input"];
echo '<h1>' . $input . '</h1>';
<?php
$input = $_GET["input"];
echo '<h1>' . htmlspecialchars($input) . '</h1>';
<?php
header('Content-Type: text/plain');
$input = $_GET["input"];
echo $input;
|
|
For more information, please read the Code Security documentation
Identify code vulnerabilities directly in yourVS Code editor
Identify code vulnerabilities directly inJetBrains products